Trying to Stem Fallout From Breach, Equifax Replaces C.E.O.

When the board of Equifax convened last week to discuss the company’s response to an enormous data breach, the 10 outside directors concluded that it was time for their hard-driving chief executive to step down.

There was a problem, though. The roster of possible replacements had been depleted by the fallout from the cyberattack, which had compromised the personal information of much of the adult population of the United States.

Some top contenders were considered tainted, according to two people briefed on the board’s deliberations. Three of the company’s senior executives, including the head of its largest division and the chief financial officer, are under scrutiny for selling stock after the breach was discovered but before it had been disclosed to the public.

Equifax spent five more days limping through the crisis before announcing on Tuesday that the chief executive, Richard F. Smith, would retire.

The shake-up is the culmination of weeks of mounting public and legal pressure on the Atlanta-based data clearinghouse from citizens, politicians and investors. The company’s lackluster response to the breach has prompted consumer outrage, while lawmakers have begun pushing for tougher oversight of the industry.

Although Mr. Smith retired, the board took an unusual step that reflected the damage from the breach. The board said it could retroactively classify Mr. Smith as having been fired for cause. If that were to happen, Mr. Smith would probably be required to forgo or repay certain compensation.

Mr. Smith will be replaced on an interim basis by the company’s head of its Asia-Pacific region, Paulino do Rego Barros Jr. One of Equifax’s outside board members, Mark Feidler, will succeed Mr. Smith as nonexecutive chairman. The company is now conducting a search for a permanent chief executive that includes internal and external candidates.

“Speaking for everyone on the board, I sincerely apologize,” said Mr. Feidler, an Atlanta-based private equity executive.

But management changes alone are unlikely to quell the complaints of critics.

Multiple congressional committees are planning hearings into the breach and Equifax’s response to it. More than 30 state law-enforcement authorities have opened inquiries, as has the F.B.I.

Senator Elizabeth Warren, Democrat of Massachusetts, said Tuesday that it is “not real accountability if the guy promoted to chairman is an Equifax board member who served on the committee that was responsible for overseeing data security.”

The Equifax breach, which exposed the personal information of up to 143 million Americans, has cast a harsh spotlight on the company’s governance.

Its board of directors largely consists of low-profile retired corporate executives. Half of the 10 outside board members are past or present fixtures of the Atlanta business community.

Mr. Smith, 57, took over as chief executive in 2005, after a 22-year career at General Electric in which he worked in the conglomerate’s asset-management, insurance and leasing divisions. At Equifax, he presided over a period of rapidly growing sales, driven by expanding troves of sensitive personal data. Profits rose, and the stock price followed.

When the crisis hit, the company stumbled.

Its website repeatedly crashed as millions of desperate individuals tried to find out whether their information was part of the breach. People who were potentially affected were unable to sign up for protection the company was offering or, even if they had been successful, could not get the service activated. Equifax also charged many people to freeze their credit files before reversing course in the wake of fierce criticism.

In an early bid to contain the crisis, Equifax said on Sept. 14 that two top executives, its chief information officer and chief security officer, were stepping down.

But the storm was intensifying — and the board decided it needed to take more drastic action.

Before the attack, the company would most likely have turned to its top executive ranks. One obvious candidate, Joseph M. Loughran III, runs Equifax’s core credit reporting division and previously served as its chief marketing officer.

By the time Equifax’s board meeting began last Wednesday evening, it was clear that Mr. Loughran and others were no longer in the running.

Three executives, including Mr. Loughran, had sold $1.8 million worth of shares in the days after the hack was discovered. The company says the executives who sold shares had not been aware of the breach at the time of the sales.

With a limited pool of candidates, the board turned to Mr. Barros, who joined Equifax in 2010 and was most recently based in Sydney, Australia. Before that, he had a long career working at telecommunications companies including BellSouth and AT&T.

“He is an experienced leader with deep knowledge of our company and the industry,” said Ines Gutzmer, an Equifax spokeswoman. “The board of directors has absolute confidence in his ability to guide the company through this transition.”

Mr. Feidler, the new chairman, comes from a similar background as Mr. Barros. A longtime telecom executive and banker, Mr. Feidler was president and chief operating officer at BellSouth until its 2006 merger with AT&T. The following year, he co-founded the Atlanta private-equity firm MSouth Equity Partners.

Equifax’s board has created a special committee to review the data breach. As part of his departure agreement, Mr. Smith agreed that Equifax can decide at a later date on the specific terms of his departure, based on the findings of the special committee.

“Mr. Smith has been very cooperative and supportive of this approach,” said Wyatt Jefferies, an Equifax spokesman.

Mr. Smith will retain about $18.4 million in pension benefits, according to a regulatory filing. He also holds around $20.8 million in stock awards, according to Equilar, which tracks executive compensation. Those shares would be forfeited if his termination is decided to have been for cause.

Mr. Smith owns Equifax shares worth $23.6 million. He received bonuses of roughly $3 million in 2015 and 2016, but agreed to waive any bonus for this year after the hack.

Mr. Smith had been scheduled to appear at two congressional hearings next week, but his departure raised questions about whether he could choose not to testify.

“A C.E.O. walking out the door just days before he is to appear before Congress is an abdication of his responsibility,” said Senator Brian Schatz, Democrat of Hawaii.

Mr. Jefferies, the Equifax spokesman, indicated that Mr. Smith would still cooperate.

“If Congress asks him, he will go,” Mr. Jefferies said.

Correction:Sept. 26, 2017

Because of an editing error, an earlier version of this article misstated the surname of the Equifax board chairman. He is Mark Feidler, not Feilder.

Tara Siegel Bernard contributed reporting.

A version of this article appears in print on , on Page B1 of the New York edition with the headline: Replacing Its C.E.O., Equifax Tries To Turn Page. Order Reprints | Today’s Paper | Subscribe